Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected With Virusburst


  • This topic is locked This topic is locked
8 replies to this topic

#1 ruof

ruof

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:03 AM

Posted 31 October 2006 - 01:43 AM

In my taskbar (by the clock) there is an icon, switches between a yellow quesiton mark and a yellow "X" on a blue cirlce. If i click on it, it takes me to a website for VirusBursters. If i put my mouse over it, it says it's "Critical System Errors" and if i click on it, it opens a new tab in my browser and takes me to Virusbursters webpage. Occasionally a balloon pops up that says "Critical System Errors" and then it says different messages everytime, and clicking on it just brings me to the Virusbursters website.

I've followed the Preparation Guide, running adware, and all the subsequent scans, and have installed the Zone Alarm firewall. I just want this thing off. It's doesn't seem to be doing much except the occasional balloon that pops up, which is annoying and whatever else it does behind the scenes. Thanks a bunch for any help. Here's my log:


Logfile of HijackThis v1.99.1
Scan saved at 12:27:41 AM, on 10/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\PROGRA~1\NETSCA~1\NETSCA~1\pbhelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {8bf5b8fc-11cb-409f-8c91-4d4ca04a1b6d} - C:\Program Files\VideoKeyCodec\isaddon.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Protection Bar - {1a29a79a-b9c8-44a9-bedf-7fadde3cf33f} - C:\Program Files\VideoKeyCodec\iesplugin.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: ferrateen - {27321538-5739-4aa1-b84c-7d18e4383f1f} - C:\WINDOWS\system32\rrtcany.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Netscape Update Service (NCUpdateSvc) - Netscape Communications Corporation - C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

BC AdBot (Login to Remove)

 


m

#2 kairis

kairis

  • Members
  • 327 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:11:03 AM

Posted 31 October 2006 - 07:30 AM

Hi and welcome. My name is Kairis and I will be helping you.
You have Smitfraud-infection! But don't worry; we'll get you cleaned up!
Please follow my steps in the right order...
We'll start with this:
Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

http://www.beyondlogic.org/consulting/proc...processutil.htm

#3 ruof

ruof
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:03 AM

Posted 31 October 2006 - 10:26 AM

Thanks for helping me. I ran that SmitFraud and here's the copy of the Text file that popped up.

SmitFraudFix v2.117

Scan done at 9:22:02.32, Tue 10/31/2006
Run from C:\Documents and Settings\Taylor\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32

C:\WINDOWS\system32\rrtcany.dll FOUND !

C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Taylor


C:\Documents and Settings\Taylor\Application Data


Start Menu


C:\DOCUME~1\Taylor\FAVORI~1


Desktop


C:\Program Files

C:\Program Files\VideoKeyCodec\ FOUND !

Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{27321538-5739-4aa1-b84c-7d18e4383f1f}"="ferrateen"

[HKEY_CLASSES_ROOT\CLSID\{27321538-5739-4aa1-b84c-7d18e4383f1f}\InProcServer32]
@="C:\WINDOWS\system32\rrtcany.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{27321538-5739-4aa1-b84c-7d18e4383f1f}\InProcServer32]
@="C:\WINDOWS\system32\rrtcany.dll"



AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


pe386-msguard-lzx32


Scanning wininet.dll infection


End

#4 kairis

kairis

  • Members
  • 327 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:11:03 AM

Posted 01 November 2006 - 08:40 AM

Hello ruof, thanks for the logs. I apologize for the delay...
Okey, lets fix it:
Step 1:
You should print out these instructions,
or copy them to a NotePad file for reading while in Safe Mode,
because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes"
by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected.
You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process;
if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process;
please copy/paste the content of that report into your next reply along with a fresh HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Step 2:
Download : GMER
* Unzip it and double-click GMER.exe
* Click the rootkit-tab and click scan.
* Do NOT check the "Show All" box during the scan!!
* Once done, click Copy.
* This will copy the results to clipboard.
* Paste the results in your next reply

#5 ruof

ruof
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:03 AM

Posted 01 November 2006 - 12:32 PM

YES!! I think that may have gotten it. The icon in my task bar is gone. Thanks for your help. Anymore to do?

****Here's the log from the SmitFraud in safemode:

SmitFraudFix v2.117

Scan done at 11:10:25.64, Wed 11/01/2006
Run from C:\Documents and Settings\Taylor\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{27321538-5739-4aa1-b84c-7d18e4383f1f}"="ferrateen"

[HKEY_CLASSES_ROOT\CLSID\{27321538-5739-4aa1-b84c-7d18e4383f1f}\InProcServer32]
@="C:\WINDOWS\system32\rrtcany.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{27321538-5739-4aa1-b84c-7d18e4383f1f}\InProcServer32]
@="C:\WINDOWS\system32\rrtcany.dll"


Killing process


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

C:\WINDOWS\system32\rrtcany.dll Deleted
C:\Program Files\VideoKeyCodec\ Deleted

Deleting Temp Files


Registry Cleaning

Registry Cleaning done.

After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End





****Here's the log from the GMER run:

GMER 1.0.12.11867 - http://www.gmer.net
Rootkit scan 2006-11-01 11:21:51
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess

---- Kernel code sections - GMER 1.0.12 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 9128 805010AC 4 Bytes
.text ntkrnlpa.exe!ZwCallbackReturn + 9152 805010C4 4 Bytes
.text ntkrnlpa.exe!ZwCallbackReturn + 9168 805010D4 4 Bytes
.text ntkrnlpa.exe!ZwCallbackReturn + 9188 805010E8 8 Bytes
.text ntkrnlpa.exe!ZwCallbackReturn + 9197 805010F1 3 Bytes
.text ...
.text ntkrnlpa.exe!ZwYieldExecution + 10428 805010E8 8 Bytes
.text ntkrnlpa.exe!ZwYieldExecution + 10437 805010F1 3 Bytes
.text ntkrnlpa.exe!ZwYieldExecution + 10492 80501128 8 Bytes

---- User code sections - GMER 1.0.12 ----

.text C:\WINDOWS\system32\hkcmd.exe[352] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00D13E00 C:\PROGRA~1\mcafee.com\vso\McVSSkt.dll
.text C:\WINDOWS\system32\igfxpers.exe[444] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00D83E00 C:\PROGRA~1\mcafee.com\vso\McVSSkt.dll
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[452] WS2_32.dll!connect 71AB406A 5 Bytes JMP 010E3E00 C:\PROGRA~1\mcafee.com\vso\McVSSkt.dll
.text C:\WINDOWS\system32\WLTRAY.EXE[460] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10003E00 C:\PROGRA~1\mcafee.com\vso\McVSSkt.dll
.text C:\WINDOWS\stsystra.exe[544] WS2_32.dll!connect 71AB406A 5 Bytes JMP 009E3E00 C:\PROGRA~1\mcafee.com\vso\McVSSkt.dll
.text ...
.text C:\Documents and Settings\Taylor\Desktop\gmer.exe[3612] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10003E00 C:\PROGRA~1\mcafee.com\vso\McVSSkt.dll

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [AA3342A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [AA3342A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [AA3342A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [AA3342A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [AA3342A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [AA3342A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [AA3342A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [AA3342A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [AA3342A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [AA3342A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [AA3342A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [AA3342A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [AA3342A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [AA3342A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [AA3342A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [AA3342A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [AA3342A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [AA3342A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [AA3342A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [AA3342A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [AA3342A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [AA3342A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [AA3342A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [AA3342A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [AA3342A0] vsdatant.sys
Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE A8EF5C8A
Device \FileSystem\Fastfat \Fat IRP_MJ_CLOSE A8EF27C8
Device \FileSystem\Fastfat \Fat IRP_MJ_READ A8EEE60A
Device \FileSystem\Fastfat \Fat IRP_MJ_WRITE A8EEEAED
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION A8EF9958
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION A8EFC821
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA A8F0538A
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_EA A8F04D49
Device \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS A8EFEBBE
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION A8EFF331
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION A8F0D4F4
Device \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL A8EF5B37
Device \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL A8EF1948
Device \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL A8EFB46B
Device \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN A8F0C79D
Device \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL A8F0BC4A
Device \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP A8EF22FD
Device \FileSystem\Fastfat \Fat IRP_MJ_PNP A8F0C1DB
Device \FileSystem\Fastfat \Fat FastIoCheckIfPossible A8F071F9
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [AA089701] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [AA089701] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [AA089701] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [AA089701] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [AA089701] tfsnifs.sys
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL [AA08989D] tfsnifs.sys

---- EOF - GMER 1.0.12 ----

#6 kairis

kairis

  • Members
  • 327 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:11:03 AM

Posted 02 November 2006 - 09:59 AM

Hi there, thanks for the logs.
Please download Dr.Web CureIt to your desktop:
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, select the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow > to the right and the scan will begin.
  • At the first infection, select 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, click the "Select all/select none" toggle button (if available) next to the files found: Posted Image
  • Then click the green cup icon right below
    and select Move incurable as you'll see in next image:
    Posted Image
    This will move any infected files to the %userprofile%\DoctorWeb\quarantaine-folder that can't be cured (in case if we need samples).
  • Then, from the main Dr.Web CureIt menu (top left), click File and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit and Restart your computer to completely remove any stubborn files in reboot.
  • After the restart, post the contents of the Dr.Web.csv log file which you saved.


#7 ruof

ruof
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:03 AM

Posted 03 November 2006 - 03:18 PM

Alrighty, sorry that took so long. been busy.

here's all that file said.

A0038645.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP104;Tool.Prockill;Incurable.Moved.;
A0038646.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP104;Tool.ShutDown.11;Incurable.Moved.;


thanks

#8 kairis

kairis

  • Members
  • 327 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:11:03 AM

Posted 03 November 2006 - 04:23 PM

After reviewing your log, it appears to be clean of any malware. Please notify me of any problems you still are having. Other than that, you MUST take the time to read this:
Posted ImagePosted ImageALL-CLEAN SPEECHPosted ImagePosted Image

Next, let us reset your system restore points. Please follow these simple steps in order:
Turn off System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Clickthe System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.

    Restart your computer

  • Turn ON System Restore.
  • On the Desktop, right-clickMy Computer.
  • Click Properties.
  • Click theSystem Restore tab.
  • Un-Check Turn off System Restore.
  • Click Apply, and then clickOK.
Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialise and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Make sure you are protected with a known anti-virus software and a firewall

Computer Virus - A computer virus is a dangerous computer program with the characteristic feature of being able to generate copies of itself, and thereby spreading. Additionally most computer viruses have a destructive payload that is activated under certain conditions.

Antivirus software is a type of application you install to protect your system from viruses, worms and other malicious code. Most antivirus programs will monitor traffic while you surf the Web, scan incoming email and file attachments and periodically check all local files for the existence of any known malicious code.

Firewall - an extra layer of security built into computers on a network, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders.

Windows XP will supply its own firewall but it will only monitor traffic in one direction. It does not block outgoing traffic. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution.

Recommended Anti-Virus Programs

Avast - Free Edition
AVG Free Version
NOD32

Recommended Firewalls

Sunbelt Kerio Firewall
ZoneAlarm Free Edition


Posted Image

Next, if they're not already present, I would recommend the download and installation of some of the following anti-spyware programs, and the updating of them regularly. Having only a firewall and anti-virus software is not enough to keep you safe from spyware, as both are mostly weak against the onslaught of spyware today out there on the internet :
  • Ad-Aware SE - Ad-Aware SE is an excellent program against spyware but usually adware. Works well together with Spybot S&D. It's free. A tutorial can be found here.
  • Spybot Search & Destroy - Spybot - Search & Destroy can detect and remove a multitude of adware files and modules from your computer. Spybot also can clean program and Web-usage tracks from your system, which is especially useful if you share your computer. Modules chosen for removal can be sent directly to the included file shredder, ensuring complete elimination from your system. For advanced users, it allows you to fix Registry inconsistencies related to adware and to malicious program installations. The handy online-update feature ensures that Spybot always has the most current and complete listings of adware, dialers, and other uninvited system residents. Spybot S&D goes great together with Ad-Aware SE as a anti-spyware/adware arsenal.

    Version 1.4 has the first native multi-installation scanner, noticeably faster than the previous version during scans, and has improved the tools and updated the interface. Spybot S&D is absolutely free. A tutorial can be found here.
  • Spyware Blaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. SpywareBlaster is free. A tutorial can be found here.
  • IE Spyad - IE-SPYAD puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. It basically prevents any downloads, cookies, scripts from the sites listed, although you will still be able to connect to the sites. IE-SPYAD is free. A tutorial can be found here.
  • Spyware Doctor - Spyware Doctor is a top-rated malware & spyware removal utility that detects, removes and protects your PC from thousands of potential spyware, adware, trojans, keyloggers, spybots and tracking threats. Protect your privacy and computing habits from prying eyes and virtual trespassers with the help of Spyware Doctor. This one you will have to pay, but it is worth every penny.
  • Windows Defender (Beta 2) - Free program from Microsoft that helps protect your computer against pop-ups, slow performance, and security threats caused by spyware and other unwanted software. It features Real-Time Protection, a monitoring system that recommends actions against spyware when it's detected, and a new streamlined interface that minimizes interruptions and helps you stay productive.
  • Fire Trust Sitehound - Firetrust introduces the SiteHound Toolbar - the safe way to browse the Internet. With SiteHound, when you browse the Internet, you're shown a warning page every time you go to a site which is a known scam, potentially loads viruses or spyware on to your computer, has questionable content or anything you would not consider reasonable. You are shown a warning page with information about that site. From there you can choose to enter the site or go back. SiteHound is a free add-on to Internet Explorer.
  • WinPatrol - WinPatrol uses a heuristic approach to detecting attacks and violations of your computing environment. Traditional security programs scan your hard drive searching for previously identified threats. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. You'll be removing dangerous new programs while others download new reference files. This one is free but has a "Plus" version that you can pay for.
  • A-squared - Free version can scan for worms, trojans, dialers and spyware. The non-free version has realtime-monitoring.
  • ewido anti-malware - Highly underrated from the beginning by most critics, ewido anti-malware offers protection from spyware, adware, trojans and dialers. The first time you download it, it will have realtime-monitoring. After the trial, the realtime-monitoring disappears but you will still be able to use it for scanning and removing present infections for free.
  • Spysweeper - Webroot's Spy Sweeper is well known for being one of the better spyware detection and removal programs. A 30-day free trial is available, however, it will not remove any spyware it detects; for that, you'll need to purchase the product.
  • SpywareGuard - An anti-virus program scans files before you open them and prevents execution if a virus is detected - SpywareGuard does the same thing, but for spyware! This one is absolutely free.


    ALERT: Before adding any other Spyware Detection and Removal programs always check the Rogue Anti-Spyware List for programs known to be misleading, mistaken, or just outright "Foistware". You can find the list here.
Alternate Web Browsers


Because of the way Microsoft Windows is designed, Microsoft Internet Explorer is deeply embedded into Windows. This allows spyware and adware deep access to the Windows operating system. In addition, Internet Explorer has "features" that are exploited by the spyware authors, such as ActiveX and other integrated scripting operations. Since IE comes with every copy of Windows, it's easy for the spyware authors to assume those features are present and active.

There are several alternative web browsers that have fewer vulnerabilities. Firefox and Opera are excellent choices to replace IE.


1) Mozilla Firefox - Firefox is a light, small, fast browser that has all the standard features of a web browser and has fewer vulnerabilities.
2) Opera Web Browser- Opera displays security information inside the address bar that indicates the level of security present on a site. Opera also provides protection against phishing attacks and automatically checks for security updates.


Note: All Microsoft Updates can only be downloaded/viewed through the Internet Explorer web browser.

Had a hard time with Malware? Then make your complaint and Stand Up and Be Counted HERE!!

You can post a complaint here in that forum through the purple link above. There is no need to register. Let your voice be heard on how and why you got infected and share it with others. Remember, a little complaint can go a long way to stopping the spread of malware on the internet.

Keep your Sun Java UP-TO-DATE!!!

It is very important not only to keep Sun Java up to date but also to remove older versions which have security holes and can be exploited by malware.

- To check what version you have installed, please go here. If your Java version does not match the latest one found [b]here
, you will need to update it by clicking your download choice (preferably 'Windows Online Installation') and following the instructions listed.

- If you do need to update your Sun Java, you must uninstall all older versions by the Add/Remove Programs in the Control Panel first.


Finally, keep your Microsoft-based operating system up to date!!!!!! Visit Microsoft Update regularly for the latest protection!!!!!

Goodbye and keep safe!! Don't let me see you around here again!!! ;)

#9 kairis

kairis

  • Members
  • 327 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:11:03 AM

Posted 12 November 2006 - 11:28 AM

Since this issue appears to be resolved, this Topic has been closed. Should you need this Topic reopened, please PM a Staff member with the address of this thread.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users